In some environments (like containers), it is sometimes desirable to run FreeIPA client commands without enrolling a full-blown client (and polluting FreeIPA hosts). It would be good if the client could be invoked with just a Kerberos ticket or a password.
Preparation: prepare a clean client VM and a server VM (called ipa.rhel73 in this case) with Vault configured. Create a service (vaulttest/ipa.rhel73@RHEL73) on the server and download the keytab to the client (vaulttest.keytab).
```
$ cd /etc/vaulttest
$ sudo dnf install freeipa-client freeipa-admintools
$ cat krb5.conf
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 default_realm = RHEL73
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 RHEL73 = {
  kdc = ipa.rhel73
  master_kdc = ipa.rhel73
  admin_server = ipa.rhel73
 }

[domain_realm]
 .rhel73 = RHEL73
$ export KRB5_CONFIG=/tmp/vaulttest/krb5.conf
$ kinit -kt vaulttest.keytab
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: vaulttest/ipa.rhel73@RHEL73

Valid starting       Expires              Service principal
10/10/2016 09:44:30  10/11/2016 09:44:30  krbtgt/RHEL73@RHEL73
	renew until 10/17/2016 09:44:30
```
```
$ cat default.conf
[global]
host = None
server = ipa.rhel73
basedn = dc=rhel73
realm = RHEL73
domain = rhel73
xmlrpc_uri = https://ipa.rhel73/ipa/xml
enable_ra = True
mode = production
$ sudo cp default.conf /etc/ipa/default.conf
```
```
$ wget -O ca.crt http://ipa.rhel73/ipa/config/ca.crt
$ sudo sh -c "echo randomblob > /etc/ipa/nssdb/pwdfile.txt"
$ sudo certutil -d /etc/ipa/nssdb/ -N -f /etc/ipa/nssdb/pwdfile.txt
$ sudo certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i ca.crt
$ sudo chmod 0644 /etc/ipa/nssdb/*.db
$ sudo chmod 0600 /etc/ipa/nssdb/pwdfile.txt
$ certutil -L -d /etc/ipa/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
```
```
$ ipa vault-add service_secret --service vaulttest/ipa.rhel73@RHEL73 --type=standard
----------------------------
Added vault "service_secret"
----------------------------
  Vault name: service_secret
  Type: standard
  Owner services: vaulttest/ipa.rhel73@RHEL73
  Vault service: vaulttest/ipa.rhel73@RHEL73
$ echo pshhh > input.txt
$ ipa vault-archive service_secret --service vaulttest/ipa.rhel73@RHEL73 --in input.txt
-----------------------------------------
Archived data into vault "service_secret"
-----------------------------------------
$ ipa vault-find --service vaulttest/ipa.rhel73@RHEL73
---------------
1 vault matched
---------------
  Vault name: service_secret
  Type: standard
  Vault service: vaulttest/ipa.rhel73@RHEL73
----------------------------
Number of entries returned 1
----------------------------
$ ipa vault-retrieve service_secret --service vaulttest/ipa.rhel73@RHEL73 --out output.txt
------------------------------------------
Retrieved data from vault "service_secret"
------------------------------------------
$ cat output.txt
pshhh
```
The ipa command can store a suitable krb5.conf file in a .dotdir the first time it is run and figures out it is not enrolled. A minimal krb5.conf file will include a list of KDCs that can be contacted, the default realm, etc. The first run will require the user to specify a server name or try to discover it. After this first run the ipa command will try to see if there is a .dotdir in the home if it is run on an unenrolled client. If there is, it will proceed, setting the KRB5_CONFIG variable to .dotdir/krb5.conf. It would be nice if in the same .dotdir we also create a default.conf file and an nssdir for the CA cert; then we have all the needed data for any following run.
+1 to simo's suggestion. It also eliminates the need for root.
I wonder if a user should be able to override the host settings by having their own dotdir (I don't see why not).
For discovery I think domain will be needed as well if a server isn't provided.
H: you can always explicitly specify IPA config options using the -e option of the ipa command, so this should more or less already work
Related ticket: #6386.
Martin pointed me to this ticket a couple of days ago. I haven't had time to look into it.
My Ansible playbook and my work on an IPA vault plugin for Custodia could both benefit from such a feature. It should be possible to auto-generate all config files with just the FQDN of the server. The realm and basedn can be inferred from the domain part of the FQDN. The auto-generation script should also take an optional path to ca.crt.
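The auto-generation that the description (hand-written krb5.conf, default.conf and CA cert setup), simo's dotdir proposal and the comment above describe, as an added example for this page rather than FreeIPA's own code. It derives realm and basedn from the domain part of the server FQDN, renders the same two files the description shows, and writes them into a per-user directory; the dotdir path, the `split_fqdn`/`write_dotdir` helper names and `SAMPLE_PEM` (filler bytes, not a real certificate) are assumptions. Because the description fetches ca.crt over plain http://, the helper refuses to store the cert unless its SHA-256 fingerprint matches one supplied out of band.

```python
"""Per-user FreeIPA client config for an unenrolled host, from the server FQDN.
Added example for this ticket page, not FreeIPA code. File contents mirror the
description; dotdir path and SAMPLE_PEM (constructed filler) are assumptions."""
import base64
import hashlib
import os
import re
import shutil
import tempfile

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_FQDN_RE = re.compile(r"%s(?:\.%s)+" % (_LABEL, _LABEL))

# Constructed filler so the example runs offline; not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed filler, not a certificate" * 4).decode()
              + "\n-----END CERTIFICATE-----\n")

def split_fqdn(fqdn):
    """Return (host, domain); reject anything that is not a plain FQDN so a
    server name taken from the command line cannot inject config syntax."""
    fqdn = fqdn.strip().rstrip(".").lower()
    if len(fqdn) > 253 or not _FQDN_RE.fullmatch(fqdn):
        raise ValueError("not a valid FQDN: %r" % fqdn)
    host, _, domain = fqdn.partition(".")
    return host, domain

def realm_for(domain):
    return domain.upper()  # FreeIPA convention: realm = upper-cased domain

def basedn_for(domain):
    return ",".join("dc=%s" % l for l in domain.split("."))  # rhel73 -> dc=rhel73

def render_krb5_conf(server, ccache="KEYRING:persistent:%{uid}"):
    """Minimal krb5.conf: one KDC, default realm, domain-to-realm mapping."""
    _, domain = split_fqdn(server)
    realm = realm_for(domain)
    return ("[libdefaults]\n"
            " dns_lookup_realm = false\n"
            " ticket_lifetime = 24h\n"
            " renew_lifetime = 7d\n"
            " rdns = false\n"
            " default_realm = %(realm)s\n"
            " default_ccache_name = %(ccache)s\n"
            "\n[realms]\n"
            " %(realm)s = {\n"
            "  kdc = %(server)s\n"
            "  master_kdc = %(server)s\n"
            "  admin_server = %(server)s\n"
            " }\n"
            "\n[domain_realm]\n"
            " .%(domain)s = %(realm)s\n"
            ) % {"realm": realm, "server": server, "domain": domain, "ccache": ccache}

def render_default_conf(server):
    """default.conf with realm and basedn inferred from the server's domain."""
    _, domain = split_fqdn(server)
    return ("[global]\n"
            "host = None\n"
            "server = %(server)s\n"
            "basedn = %(basedn)s\n"
            "realm = %(realm)s\n"
            "domain = %(domain)s\n"
            "xmlrpc_uri = https://%(server)s/ipa/xml\n"
            "enable_ra = True\n"
            "mode = production\n"
            ) % {"server": server, "domain": domain,
                 "realm": realm_for(domain), "basedn": basedn_for(domain)}

def ca_fingerprint(pem):
    """SHA-256 hex digest over the DER body of the first PEM certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()

def fingerprint_matches(pem, expected):
    """ca.crt arrives over plain http://, so require an out-of-band fingerprint."""
    return ca_fingerprint(pem) == expected.replace(":", "").lower()

def write_dotdir(server, dotdir, ca_pem=None, expected_fp=None):
    """Write krb5.conf, default.conf and (if verified) ca.crt into dotdir (0700).
    Returns {filename: content}. The NSS DB under <dotdir>/nssdb is still built
    with certutil as in the description."""
    files = {"krb5.conf": render_krb5_conf(server),
             "default.conf": render_default_conf(server)}
    if ca_pem is not None:
        if expected_fp is not None and not fingerprint_matches(ca_pem, expected_fp):
            raise ValueError("CA fingerprint mismatch, refusing to trust ca.crt")
        files["ca.crt"] = ca_pem
    os.makedirs(dotdir, mode=0o700, exist_ok=True)
    for name, body in files.items():
        path = os.path.join(dotdir, name)
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, 0o600)
    return files

def demo():
    """End-to-end run in a throwaway directory; returns the files written."""
    tmp = tempfile.mkdtemp(prefix="ipa-dotdir-")
    try:
        return write_dotdir("ipa.rhel73", tmp, SAMPLE_PEM, ca_fingerprint(SAMPLE_PEM))
    finally:
        shutil.rmtree(tmp)
```

The generated krb5.conf is used exactly as in the description, via `KRB5_CONFIG=<dotdir>/krb5.conf`; teaching the ipa command to pick up `<dotdir>/default.conf` and `<dotdir>/nssdb` on an unenrolled host is the part this ticket asks for, so the example stops at producing the files.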
master:
Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: Future Releases
Closing as duplicate of https://pagure.io/freeipa/issue/6621
Metadata Update from @rcritten:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)